Enpass Password Manager: Tom's Mac Software Pick

Keep Your Login Information Secure While Automating the Login Process

Enpass password manager items list
Courtesy of Sinew Software Systems

Enpass is a cross-platform password manager that works on Macs, Windows, Android, iOS, Blackberry, and Linux. Its strength is its ability to make your login information available to you no matter where you are or what type of device you're using.

Pro

  • Desktop versions of Enpass are free.
  • Browser extension allows Enpass to capture login data, as well as complete login data fields for you.
  • Uses Open Source SQLCipher 256-bit AES encryption engine.
  • Supports TOTP (Time-based One Time Password)
  • Doesn't store your data on any Enpass servers.

Con

  • Mobile pro versions require a one-time fee.
  • Enpass for Mac comes in two different confusing versions.

Enpass from Sinew Software is a mostly free password manager for the Mac. I say mostly free because while the desktop version of the Enpass app is free, the mobile version is offered in a limited-use format for free, or in a pro version for a one-time fee of $9.99 per mobile platform.

We're going to concentrate on the Mac desktop version, though I've been told that all of the desktop versions of Enpass have almost the same features.

The "almost the same features" has to do with how Apple and the Mac App Store license the use of iCloud for syncing data. Versions of Enpass you download from the Mac App Store are able to use iCloud to sync login information between multiple devices, your Mac and iPhone, for example, while the version directly available from the developer's website doesn't support using iCloud for login syncing.

The version we're reviewing happens to be the one available from the Mac App Store with iCloud syncing.

Installing Enpass

Enpass is downloaded and installed automatically from the Mac App Store. There are, however, a few steps you need to take the first time you launch Enpass.

You start by setting up a secure AES-256 bit encryption vault to store your passwords, logins, and just about any other data you wish to keep encrypted.

This makes Enpass a good option for storing credit card data and banking information.

Enpass uses a master password to unlock access to the vault. You should pick a password that is easy for you to remember, but one that is long (at least 14 characters), has numbers and special characters and mixes upper and lower case letters. Enpass warns you that it has no way of recovering the master password, so make sure it's something you'll remember; perhaps you should also keep the password in a safe place, just in case.

Enpass doesn't force you to use a complex master password, but since anyone who can guess your master password can gain access to all of your passwords, it's a good idea to spend some time coming up with a secure 14-character or more password that you'll remember.

Using Enpass

Once you have set up the master password and completed the launch of the app, Enpass will display its classic three-pane window. The sidebar includes various categories for items in your Enpass vault, including Login, Credit Card, Finance, License, Password, and more.

The center pane contains a list of items associated with the selected category, while the third pane lists the details about the selected item.

You can use Enpass just as it is, with the simple three-pane interface and its encrypted vault to hold your information. But the real strength of Enpass becomes apparent when you make a visit to the app's preferences to set up the browser extension, syncing options, and security settings.

Browser Extensions

The browser extension allows Enpass to communicate with your browser and use it to auto-submit logins to websites, with no need to copy/paste the login data; Enpass can fill in the necessary login information for you. It can also use the same technology to auto-fill credit card information when you're shopping online, and it can save new login data whenever you sign up for a web-based service; Enpass can remember the website and the login data you created.

Enpass can also help you with picking a password on the web by generating strong passwords for you. This is one of the best features of any password manager; the ability to generate very strong passwords that you don't need to remember, because the password manager, Enpass, in this case, will remember them for you.

The browser extension needs to be manually installed, but the Enpass preference settings can walk you through the process.

Syncing Options

Enpass can sync your data using one of seven different methods. You can choose from Dropbox, iCloud, Google Drive, OneDrive, Box, Folder, or WebDev/ownCloud.

Selecting one of the Sync options causes Enpass to use the selected cloud-based storage system as the destination for its automatic backups. Backups are encrypted, and you control when Enpass syncs with the cloud-based backup.

Security Options

Security options in Enpass's preferences are a bit basic, but serviceable for most users. You can specify how long the Enpass app will remain unlocked after it has been opened, as well as how long before the clipboard is cleared. Remember, the clipboard is used to automate the copy/paste function of filling in or capturing login details. So, clearing out the clipboard needs to be performed to ensure your login or credit card data remains unavailable to others.

TOTP (Time-based One Time Passwords

Enpass supports TOTP, a method for generating single-use passwords for an even more secure transaction over the Internet.

The idea of TOTP is simple enough; make transactions more secure by using passwords only once.

This way, should anyone intercept the password or login credentials, they're of little value since they would have already been used and are no longer valid.

Enpass uses the TOTP system adopted by the Internet Engineering Taskforce. This system uses a secret key that is shared between the TOTP system running on Enpass, and a TOTP system running on the website you're logging into. The TOTP system uses cryptography to combine the shared key with the current time on your Mac to generate a hash-based message authentication code (HMAC). It's the HMAC that's sent to the website as the one-time password.

The remote website verifies this is the correct HMAC by using the shared secret key and its own current time to generate a matching HMAC. Because the HMACs are time-sensitive, most TOTPs have a range in which the HMAC remains valid. Thirty seconds is a common valid range for HMAC-based passwords to remain valid. If not used within that time frame, a new HMAC has to be generated.

For TOTP to work, both the website and Enpass must first have agreed to a secret shared key to use. This usually occurs when you first sign up for a TOTP-based service. The shared key is commonly sent by email or text message and is then added to Enpass for future use.​

Enpass handles TOTP-based websites by adding a TOTP field for storing the shared secret key. When you log into a TOTP site, Enpass knows to generate an HMAC and send it as the password.

Final Thoughts

I tried Enpass out for a week, using it to access the various websites I routinely log into each day.

I found it worked well and was able to automate the login process, one of the main goals I have for a password manager.

I was able to import a number of login items from 1Password, the password manager I routinely use. Besides being able to import from 1Password, Enpass can import data from most of the popular password managers.

I also tried syncing with another Mac in the office, using iCloud as the data source; this seemed to work well enough. Enpass auto syncs whenever you launch the app when you save data within the app, and every ten minutes when the app is in the foreground. This seems more than enough to ensure you don't sync with stale data in the cloud.

Enpass did a fine job as a password manager, storing, syncing, auto filling, and more, and it did it with no cost for the desktop versions of the app. I was also pleased to see that Enpass didn't require the syncing service to use its own web service, instead letting you pick which service meets your own needs. I generally don't store data in the cloud, and storing password data is even less appealing. Letting me choose to use syncing as well as which service to use was, in itself, a nice choice.

If you're struggling with how to keep your login, password, and other personal information safe, secure, but easily and quickly accessible, give Enpass a try.

Enpass is free for the desktop version.

See other software choices from Tom's Mac Software Picks.